Hi, I have been creating a website. It works perfectly on my localhost (using WAMP), but when I uploaded it to the web it has a bug. When I log in it sets a session variable 'status'. This variable works fine until I press the back button on the browser; then it resets the variable and I have to log in again.

What does phpinfo() have to say about sessions? There's a sessions section in phpinfo, which has a line entitled "Session Support". Is that enabled? Also you might want to compare the output from the server with the output you get when running it locally.

Do you have access to /tmp on the server to see if session files are indeed being created?

________________________________

adam, Forum Moderator & Developer

Joined: 26 Jul 2002
Posts: 704
Location: UK

Posted:
Fri Sep 30, 2005 8:11 am (12 years, 2 months ago)

This isn't related to your question, but directly using a user-supplied variable in an SQL query can be a security risk - it would be easy for a malicious user to add their own SQL to the query and modify your database. Check out the mysql_real_escape_string() function.

________________________________
It's turtles all the way down...

LaKaroT, Junior WebHelper

Joined: 29 Sep 2005
Posts: 7

Posted:
Fri Sep 30, 2005 12:47 pm (12 years, 2 months ago)

Yes, I have full rights to the site. I am in the temp folder now and can't find any sessions at all. All I can see is a few graphs for the statistics section of the webserver, and a few folders:

That's all I really see. Maybe the whole website should be in the folder cgi-bin? It is currently in public_html and cgi-bin is a sub-category... cheers for your suggestions.

LaKaroT, Junior WebHelper

Joined: 29 Sep 2005
Posts: 7

Posted:
Fri Sep 30, 2005 12:51 pm (12 years, 2 months ago)

I am kinda new to the whole online thing and the whole malicious internet. I kinda thought I would be exposing myself by posting information on here. I can't really work out how an SQL statement can be run by someone without access to the PHP code, or how someone can use "SQL injection" as it is called, although I will take those security holes into account. Thanks for your input.

adam, Forum Moderator & Developer

Joined: 26 Jul 2002
Posts: 704
Location: UK

Posted:
Fri Sep 30, 2005 1:23 pm (12 years, 2 months ago)

I'm guessing you're on a cPanel server? In which case, the tmp directory you see in FTP isn't the same one which is used by PHP to store session data.

________________________________
It's turtles all the way down...

LaKaroT, Junior WebHelper

Joined: 29 Sep 2005
Posts: 7

Posted:
Fri Sep 30, 2005 10:41 pm (12 years, 2 months ago)

Whereabouts would I see session data then? I am on a cPanel server...

adam, Forum Moderator & Developer

Joined: 26 Jul 2002
Posts: 704
Location: UK

Posted:
Sat Oct 01, 2005 4:00 am (12 years, 2 months ago)

You won't be able to unless you're the server administrator. However, I think you can change the place where PHP stores the data though I can't remember exactly how.

________________________________
It's turtles all the way down...

LaKaroT, Junior WebHelper

Joined: 29 Sep 2005
Posts: 7

Posted:
Sat Oct 01, 2005 5:17 am (12 years, 2 months ago)

I am the administrator of the site.

adam, Forum Moderator & Developer

Joined: 26 Jul 2002
Posts: 704
Location: UK

Posted:
Sat Oct 01, 2005 11:18 am (12 years, 2 months ago)

Administrator of the site and administrator of the server are two different things - the server administrator (i.e. the hosting company you're using) has access to a lot of stuff that you don't.

________________________________
It's turtles all the way down...

LaKaroT, Junior WebHelper

Joined: 29 Sep 2005
Posts: 7

Posted:
Sat Oct 01, 2005 12:07 pm (12 years, 2 months ago)

Oh sweet, I get you now. So, any advice to solve my problem apart from what's given?

adam, Forum Moderator & Developer

Joined: 26 Jul 2002
Posts: 704
Location: UK

Posted:
Sat Oct 01, 2005 3:05 pm (12 years, 2 months ago)

I'm not sure exactly what the problem is. You say it logs you out when you click the back button? What page does that take you back to? Is there anything on that page that might modify $_SESSION?

Also, as a side note, you might want to use POST rather than GET for the login form. That way the user name and password won't be visible in the URL. (If it's visible in the URL, it will also show up in the browser's history, which could be a big security problem.)
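As an added illustration of the two points adam raises in this thread (the SQL injection risk from a user-supplied variable in the query, and taking the login credentials from POST rather than the URL), here is a small login handler. It is example code written for this page, not code from the thread; it assumes a `users(username, password_hash)` table, PDO with the MySQL driver, and placeholder connection details, and it uses a prepared statement instead of `mysql_real_escape_string()`, which is the modern equivalent of the escaping the thread mentions.

```php
<?php
// Added example (not from the thread). Assumes a table
// users(username, password_hash) and PDO with the mysql driver.

// The pattern the thread warns about: the submitted user name is pasted
// straight into the SQL text, so anything it contains is parsed as SQL.
function find_user_unsafe(PDO $db, string $username): ?array {
    $sql = "SELECT username, password_hash FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened version: the value is bound separately from the query text,
// so it can only ever be compared as data, never parsed as SQL.
function find_user(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

session_start();

// Credentials come from the POST body, so they never appear in the URL
// or in the browser history.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new PDO(
        'mysql:host=localhost;dbname=PLACEHOLDER_DB',   // placeholders, not real values
        'PLACEHOLDER_USER',
        'PLACEHOLDER_PASSWORD',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,        // real server-side prepares
        ]
    );

    $user = find_user($db, $_POST['username'] ?? '');
    if ($user !== null && password_verify($_POST['password'] ?? '', $user['password_hash'])) {
        session_regenerate_id(true);     // fresh session id once the user is authenticated
        $_SESSION['status']   = 'logged_in';
        $_SESSION['username'] = $user['username'];
        header('Location: /members.php');
        exit;
    }

    http_response_code(401);
    echo 'Login failed';
}
```

The login form itself only needs `method="post"` pointing at this script; `find_user_unsafe()` is kept beside `find_user()` purely to show the difference and should not be called.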
